On Tue, 14 Mar 1995, Rob Hartill wrote:
> > Just what the fsck is going on anyway?
>
> it is getting messy. I still think we should all implement one
> patch at a time together. At the rate (and hours) some are working
> we can probably manage a couple of patches a day. It's far too
> easy to grab the next apache-pre and without knowing what's in it
> or how it is supposed to work.
>
> If this is acceptable to the rest of the group, I think we should
> order the patches, and start a systematic process of discussion,
> implementations and testing.
>
> Why not stop adding new patches for now, and just properly process
> the ones we have. Then accept more patches.

Okay, I apologize if my productivity spurt over the weekend has caused
problems, I just wanted to take rst's momentum and not let it fall
short - but it seemed like all the bug fixes were uncontroversial enough
(like the -Wall modifications) to merit testing it out. Finally I've
been doing all the patches by hand, and testing out each feature, to make
sure they've all happily worked together, as so far they have.
Here's the list of patches and slight modifications I've put into my
working copy. With the exception of http_mime_db.c (rst's content
negotiation) and a large chunk of http_alias (drtr's malloc() changes)
I've done all mods by hand and most were minor enough to be verifiable
that security holes shouldn't have been created.
implemented by RST into apache-pre.tar.Z:
PatchID Fixes:
B1 Cert scribbling hole (modified to require -DMEMHOGBUTSECURE by brian)
B2 SO_LINGER set on client sockets
B3 Server always pauses 3 seconds for scripts (configurable now with
-DBABYKILLER)
B4 <!--#config timefmt --> not always working
B7 Allow directive redundant
B8 (integrated with P9)
P9 initgroups() done once per connection
P10 MIME headers read 1 character at a time (the patch list at
http://www.steam.com/~cliffs/httpd/list.cgi?id=10 suggests that
drtr and rst had different solutions, yet I see patch.drtr-read listed
as a patch in rst's apache-pre, so I presume he integrated the latter.)
P11 open_locale() and tzset() done once per connect
P12 Shared-memory name server cache (this works fine on BSDI and SGI as
far as I can tell (i.e. it doesn't crash)).
B17 raise queue size in listen() (though this really should be a
compile-time option)
B18 Status; 302 should work, and doesn't
Now, the ones I've put in:
B22 drtr's Fix another stack scribbling hole
B23 AddType for *.cgi, *.shtml won't work in .htaccess
B24 Adds content-type negotiation
-- Custom error responses (httpd/patches/custom_error_responses_patch_E8.txt)
-- drtr's malloc() changes (httpd/patches/alias.patch)
-- roy's date patch for correct HTTP (date_patch.txt)
-- roy's patch for directory listings that use '..' instead of '../' (dir_patch.txt)
-- KEEPALIVE option on setsockopt for buggy PC clients
-- Randy's -Wall cleanups (though apparently he's removed them from the
patch directory on hyperreal)
For all the patches without official ID's I'll go create entries for
them. Cliff, if you want to re-add all those patches yourself to a build
you're making locally fine, but my build is in /export/apache/apache-pre
right now (not on the web site).
Finally, here's what I think the status is on the other patches:
B5 XBITHACK not honored on (!--#include--)ed files
Andrew, I couldn't find code for this - as soon as it's uploaded I'll
integrate it, sounds pretty simple
B6 access files written w/o O_APPEND (httpd/patches/log_patch.txt)
I tried putting this in and it caused core dumps when it went to
write, so I left it until later. A related patch
(httpd/patches/elog_patch.txt) should be discussed before
implemented - It also apparently doesn't have a patch ID.
no B13
P14 DBM-based user databases for HTTP authentication
(I haven't yet put this in as I want to make it more portable
and more generalizable - use both NDBM and GDBM, etc.)
E15 add new CGI variables
(There is only *one* new CGI variable I use and that is
DOCUMENT_ROOT - anyone contest to adding this? it should be
documented as *experimental*, of course, and not necessarily a
feature :)
E16 Allow any URL to invoke a script
Rob (Hartill), is this your *.doit patches? Is there a conflict between
this and content negotiation? I don't see any code...
B19 Embedded blanks in headers don't work
Rob (Thau), did you put this into apache-pre?
E20 Add multi-homed server support
This is not a minor patch, and has implementation questions - let's
deal with it after we deal with earlier patches.
O21 'Timeout' config setting missing from httpd.conf
Seems like a wishlist patch, but also doesn't sound too complex.
Anyways, I'll work on making this document sync with cliff's patch list.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com brian@hyperreal.com
http://www.hotwired.com/Staff/brian/